Skynet Skynet - Router Firewall & Security Enhancements

[gwopman]

I guess this is a reason to upgrade from my N16 i thought john fork might update ipset but it's still on 4.2.

 

[Adamm]

I guess this is a reason to upgrade from my N16 i thought john fork might update ipset but it's still on 4.2.

Yeah unfortunately MIPS routers are based on an ancient kernel so Skynet doesn’t support them.

 

[gwopman]

Yeah unfortunately MIPS routers are based on an ancient kernel so Skynet doesn’t support them.

No problem..... Went to the store today and came home with a AC66U B1
Almost got a Blue Cave but then i heard it maybe didnt have the best reviews.

 

[From Michigan]

Thanks so much for the quick reply.

That worked just fine.

I just tried to connect to the TOR network and it is being blocked successfully now.

Will this be persistent? Or will I have to add this list in the future?

THANKS AGAIN !!!!!

Is there a way to set this up where it auto updates the list every hour?

sh /jffs/scripts/firewall import blacklist xxxxxxxx.com

I have added the TOR proxy block list but it updates several times an hour and is out of date within a day or two for sure.

Thanks Again.. Mike in Michigan

 

[Adamm]

Is there a way to set this up where it auto updates the list every hour?

sh /jffs/scripts/firewall import blacklist xxxxxxxx.com

I have added the TOR proxy block list but it updates several times an hour and is out of date within a day or two for sure.

Thanks Again.. Mike in Michigan

Use the "custom banmalware filter" option and add it to the default list.

 

[DonnyJohnny]

Is there a way to set this up where it auto updates the list every hour?

sh /jffs/scripts/firewall import blacklist xxxxxxxx.com

I have added the TOR proxy block list but it updates several times an hour and is out of date within a day or two for sure.

Thanks Again.. Mike in Michigan

Use the following command

cru d Skynet_banmalware
cru a Skynet_banmalware "10 */1 * * * sh /jffs/scripts/firewall banmalware"

This will update the custom list every hour at its 10 min. I put 10min because I don’t want to stress the cpu as Skynet have a cron job at every hr at 00min.

If you want the command to be in effect, you can add it in /jffs/scripts/firewall-start
Put it in the end of the script.

 

[DonnyJohnny]

Just a update for anyone using ZeroDot’s TheCoinBreakerList.
It has moved from GitHub to GitLab and Github list will be discontinued. Please update your banmalware custom list.

https://github.com/firehol/blocklist-ipsets/issues/67

https://gitlab.com/ZeroDot1/CoinBlockerLists/issues/1

 

[ryzhov_al]

Again my guess is this is due to entware (and will also be fixed by running the installer again), their installer is terrible in the fact it overwrites several jffs scripts completely. @ryzhov_al @zyxmon would be great if you guys could improve this, there's really no need to overwrite files.

PR's are welcome. I don't have any of asuswrt-based devices.

 

[MSL123]

Quick question - is there anyway to show stats for the past 24 hours while still retaining all the debug info? I don't want to clear all my historical data daily however I'd like to update my daily report to only show stats for the past 24 hours. Is this possible?

 

[From Michigan]

Use the following command

cru d Skynet_banmalware
cru a Skynet_banmalware "10 */1 * * * sh /jffs/scripts/firewall banmalware"

This will update the custom list every hour at its 10 min. I put 10min because I don’t want to stress the cpu as Skynet have a cron job at every hr at 00min.

If you want the command to be in effect, you can add it in /jffs/scripts/firewall-start
Put it in the end of the script.

Thanks DonnyJohnny for posting the above fix for me. Have a Great Weekend....Mike in Michigan

 

[gwopman]

tl;dr : I did read post #2 but i was curious about multiple different sites using Shopify being blocked and nothing else. Not sure if unblocking those specific IP's will keep all Shopify sites from being blocked or if they all happen to be on the block list for any reason?

I have no idea what i did to my Skynet install, but i was finding i couldn't get to certain sites at all and found lots of outgoing blocked lines in the ASUSWRT system log. I disabled skynet, was able to get thru, but accidentally uninstalled it so i reinstalled it with the exact same settings except filtering incoming only and now i can get through. Should i manually whitelist those sites and re-enable outgoing blocking? The only thing they all had in common was they were all Shopify web stores.

should i be looking to unblock the shopify range or something? perhaps i should go thru the list of blocked ip's manually?

Wish there was a firewall error page so it was more obvious when it's the firewall stopping you but i know thats not a Skynet problem

Thanks in advance!

edit: never mind, can't get back on those shopify sites, all blocked on inbound now.

 

[Adamm]

Quick question - is there anyway to show stats for the past 24 hours while still retaining all the debug info? I don't want to clear all my historical data daily however I'd like to update my daily report to only show stats for the past 24 hours. Is this possible?

Not at this time as the log is based on total size, not a specific amount of days.

tl;dr : I did read post #2 but i was curious about multiple different sites using Shopify being blocked and nothing else. Not sure if unblocking those specific IP's will keep all Shopify sites from being blocked or if they all happen to be on the block list for any reason?

I have no idea what i did to my Skynet install, but i was finding i couldn't get to certain sites at all and found lots of outgoing blocked lines in the ASUSWRT system log. I disabled skynet, was able to get thru, but accidentally uninstalled it so i reinstalled it with the exact same settings except filtering incoming only and now i can get through. Should i manually whitelist those sites and re-enable outgoing blocking? The only thing they all had in common was they were all Shopify web stores.

should i be looking to unblock the shopify range or something? perhaps i should go thru the list of blocked ip's manually?

Wish there was a firewall error page so it was more obvious when it's the firewall stopping you but i know thats not a Skynet problem

Thanks in advance!

edit: never mind, can't get back on those shopify sites, all blocked on inbound now.

Refer to this post how to whitelist an IP. There are also commands for whitelisting multiple IP's linked to a domain.

 

[gwopman]

Thanks, i ended up finding out all those sites using the same service linked back to the same ip which threw me off. They all work after whitelisting that one ip

 

[MSL123]

Checking my syslog I am seeing failed connection attempts to the Asus openvpn server with a WARNING: Bad encapsulated packet length from peer (5635) error. Can I presume that if they are showing up in syslog this way then they were not caught with Skynet?

If so, I am thinking about trying to script a daily job to look for these entries in the log, strip the IPs and add them to the manual ban list. Question here is there a practical limit to the manual ban list size?

 

[gwopman]

Checking my syslog I am seeing failed connection attempts to the Asus openvpn server with a WARNING: Bad encapsulated packet length from peer (5635) error. Can I presume that if they are showing up in syslog this way then they were not caught with Skynet?

If so, I am thinking about trying to script a daily job to look for these entries in the log, strip the IPs and add them to the manual ban list. Question here is there a practical limit to the manual ban list size?

Things Skynet blocks should show up in the main router log page, is my understanding of it.

 

[Adamm]

Checking my syslog I am seeing failed connection attempts to the Asus openvpn server with a WARNING: Bad encapsulated packet length from peer (5635) error. Can I presume that if they are showing up in syslog this way then they were not caught with Skynet?

If so, I am thinking about trying to script a daily job to look for these entries in the log, strip the IPs and add them to the manual ban list. Question here is there a practical limit to the manual ban list size?

No, its just a number that can be modified at any time, currently is 500000

 

[MSL123]

No, its just a number that can be modified at any time, currently is 500000

Checking the logs again, it appears that the attacks are continuing even though the IPs are in the ban list. So the openvpn server is not monitored by Skynet. I'm guessing I could add these directly to iptables - thoughts?

 

[Adamm]

Checking the logs again, it appears that the attacks are continuing even though the IPs are in the ban list. So the openvpn server is not monitored by Skynet. I'm guessing I could add these directly to iptables - thoughts?

Any IP on Skynets blacklist you will not be able to establish any type of connection with.

 

[MSL123]

Here is what I am seeing in the logs, both before and after I added the IP to the ban list. So you are saying that if a connection was established with openvpn, then Skynet would block it? Does not appear it is blocking the initial connection attempts.

2018-06-19T17:03:42-06:00 Asus_Merlin ovpn-server1 107.22.72.7 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

 

[Goobi]

Anyway to have skynet log to another file instead of syslog? Love keeping stats, but blocks are so frequent that you can’t see anything but blocks making observing other activity (especially anything abnormal) next to impossible.